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Abstract 

The two primary decoding algorithms for Reed-Solomor\ codes are the 
Berlekamp-Massey algorithm and the Sugiyama et al. adaptation of the Eu- 
clidean algorithm, both designed to solve a key equation. In this article an 
alternative version of the key equation and a new way to use the Euclidean 
algorithm to solve it are presented, which yield the Berlekamp-Massey al- 
gorithm. This results in a new, simpler, and compacter presentation of the 
Berlekamp-Massey algorithm. 

1 Introduction 

For correcting Reed-Solomon codes the primary tools are the so-called locator 
and evaluator polynomials. Once we know them, the error positions are de- 
termined by the inverses of the roots of the locator polynomial and the error 
values can be computed by a formula due to Forney ISj which uses the eval- 
uator and the derivative of the locator evaluated at the inverses of the error 
positions. 

Berlekamp presented in U a key equation determining the decoding poly- 
nomials for primal Reed-Solomon codes. The Berlekamp-Massey algorithm, 
which unites Massey's perspective in [6J with Berlekamp's work, is the most 
prominent algorithm for decoding Reed-Solomon codes. It is based on hnear 
feedback shift registers. Sugiyama et al. introduced in |!8] an alternative algo- 
rithm for solving the key equation based on the Euclidean algorithm for com- 
puting the greatest common divisor of two polynomials and the coefficients of 
the Bezout identity. The Berlekamp-Massey algorithm is widely accepted to 
have better performance than the Sugiyama algorithm, although its formula- 
tion is perhaps more difficult to imderstand. The connections between the two 
algorithms were analyzed in 121 ID- 
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In this work we take the perspective of dual Reed Solomon codes. In Sec- 
tion|2]we present a key equation for dual Reed-Solomon codes and in Section|4] 
we introduce a Euclidean-based algorithm for solving it, following Sugiyama's 
idea. While the standard key equation for primal Reed-Solomon codes states 
that a linear combination of the decoding polynomials is a multiple of a cer- 
tain power of X, in the key equation presented here the linear combination has 
boimded degree. Another important difference is that in the Sugiyama algo- 
rithm the locator and evaluator polynomials play the role of one of the Bezout's 
coefficients and the remainder respectively, while in the Euclidean algorithm 
presented here the locator and evaluator polynomials play the role of the two 
coefficients of the Bezout identity. 

The decoding polynomials are now slightly different and in a sense more 
natural, since the error positions are given by the roots themselves of the lo- 
cator polynomial rather than their inverses and the error values are obtained 
by evaluating the evaluator polynomial and the derivative of the locator poly- 
nomial at the error positions rather than evaluating them at the inverses of the 
error positions. In addition, the equivalent of the Forney formula does not have 
the minus sign. 

In Section|S]we show that the intermediate remainders computed in the Eu- 
clidean algorithm are not necessary to find the Bezout coefficients. This leads 
to a proof of the fact that the new Euclidean-based algorithm is the Berlekamp- 
Massey algorithm. 

2 Key equations for decoding Reed-Solomon codes 
revisited 

In this section we will first establish the notions and notations related to Reed- 
Solomon codes that we will use in the present work. A general reference is IZj. 
We will present the usual decoding polynomials for primal codes, and analo- 
gous — ^but different — decoding polynomials for dual codes. We will see that 
each set of polynomials satisfies a key equation, which can be written in the 
form of intermediate Bezout identities. In the primal case the key equation is 
Berlekamp's key equation and the adaptation of the extended Euclidean algo- 
rithm for solving it is the algorithm of Sugiyama et al. In the dual case the 
key equation is new and the discussion of the extended Euclidean algorithm 
for solving it is the aim of the present work. It turns out that the definitions 
we use for dual codes, are more natural in the context of general codes from 
curves; see e.g. 13. 

Settings and notations 

Let F be a finite field of size q and let a be a primitive element in F. Let n = 
q — 1. We identify the vector u — {uq, . . . , u„-i) with the polynomial u{x) = 
uo + ■ ■ ■ + Un-ix^^^ and denote u{a) the evaluation of u{x) at a. Classically 
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the Reed-Solomon code C* (k) of dimension k is defined as the cyclic code with 
generator polynomial 
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The dual Reed-Solomon code C{k) of dimension k is the cyclic code with 
generator polynomial 

(x - a-('=+i))(x - a-('^'+2)) • • • (x - a-("^i))(x - 1). 

Its generator matrix is 
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To emphasize the difference between Reed-Solomon codes and their du- 
als we will call the former ones primal Reed-Solomon codes. Both codes have 
minimum distance d = 71 — fc + 1. Furthermore, C(fc)^ = C*(n — fc). There is 
a natural bijection from F" to itself which we denote by c c*. It takes C(fc) 
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to C*{k). The codeword c* can be defined either as iG*{k) e C*{k) where i 
is the information vector of dimension k such that c = iG{k) G C(fc) or com- 
ponentwise as c* — (cq, a^^ci, Q!~^C2, . . . , ac„_i) where c (cq, ci, . . . , c„_i). 
Then, 

c= (co,aCi,a C2,...,a c„_i). (1) 

In particular, c(a') = ^ + ac^a' + a^^a^' + ■ ■ ■ + a"-^c*„_^a^"~'^'>' = c*{a'+^). 

A decoding algorithm for a primal Reed-Solomon code may be used to de- 
code a dual Reed-Solomon code by first applying the bijection * to the received 
vector u. If u differs from a codeword c G C{k) by an error vector e of weight t, 
then u* differs from the codeword c* G C* (k) by the error vector e* of weight t. 
If the primal Reed-Solomon decoding algorithm can decode u* to obtain c* and 
e* then, transforming by the inverse of * we may obtain c and e. Conversely, 
a decoding algorithm for a dual Reed-Solomon code may be used to decode a 
primal Reed-Solomon code by applying the inverse of *, decoding, and then 
applying *. 

Key polynomials 

Suppose that a word c* G C*{k) is transmitted and that an error e* occurred, 
so that u* ~ c* + e* is received. Define the error locator polynomial A* and the 
error evaluator polynomial O* as 

A* = (l-a'x), i^* = J2 n 

If A* and O* are known, the error positions can be identified as the indices 
i such that 

A*{a-') = 

and the error values can be computed by the Forney formula ||3) 

A*'(a-'')' 

Analogously, for dual Reed-Solomon codes, suppose that a word c ^ C{k) 
is transmitted and that an error e occurred, so that m = c + e is received. In this 
case define the error locator polynomial A and the error evaluator polynomial fl as 

Now, if A and fl are known, the error positions can be identified as the 
indices i such that 

A(a') = 

and the Forney formula for error values is somewhat simpler, 

_ n{a') 
~ A'(aO' 
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It is easy to check that when the error vectors e and e* satisfy the relation- 
ship ([ij, then the polynomials A, fl, associated to the error e are related to the 
polynomials A*, O*, associated to the error e* as follows: 

A = a;*A*(l/a;), n = x*-^n*{l/x), (2) 

where t = \e\ = \e*\. 

Key equations 

The syndrome polynomial is defined for primal codes as 

S* = e*(a) + e*{o?)x + e'{a^)x^ + • • • + e*(a")a;"-\ 

For dual codes define 

S ^ e(a""i) + e(a"-2)a; + • ■ • + e(a)a;"-2 + e(l)x"-^ 

Notice that while the general term of S* is e*(a*+^)x', the general term of S is 
e(a"~^~*)a;*. If the error vectors e and e* are related by ((HJ), then 

S = x''-^S*{\lx). (3) 

It is easily verified that 

AS* = (x" - (4) 

and, by (|2) and (|3]l, 

A*5* = (-2-" + 1)17*. 

For primal codes, from the received word we only know e* {a) ~ u* (a) , . . . , e* (a""''" ) = 
u*(a"~'^). This is why we use the truncated syndrome polynomial 

= e (a) + e (a jx + ■ • • + e (a jx 

Notice that A* 5* + (x" - = A* (5* - 5*) has only terms of order n - fc or 
larger and this implies 

h*S* = mod 

This is the key equation introduced by Berlekamp H) . Massey ||6l gave an 
algorithm for solving the key equation using linear feedback shift registers. 
Sugiyama et al. ||8l recognized that the extended Euclidean algorithm could 
also be adapted to solve this kind of equation for A* and O*, starting with 
r_2 = .t"^'^ and r_i = S* . Their method is often referred to as the Euclidean 
decoding algorithm for Reed Solomon codes. 

Analogously, for dual codes, from the received word we only know e(l) = 
. . . , e(a"^'^^^) = u{a^^^^^) . In this case we use the truncated syndrome 
polynomial 
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Observe that the polynomial AS* — (x' 

d/2 + k-l^n- d/2. That is 



— l)ri = A(S' — S) has degree less than 



deg(AS' - (x" - <n-d/2 



(5) 



The aim of the present work is to deal with this alternative key equation for 
A and VL, solving it by the extended Euclidean algorithm starting with r_2 = 

— 1 and r_i = S. 



3 Extended Euclidean algorithm revisited 

Let F be a field. It is well known that given two polynomials a, 6 G F[a-] there 
exist two polynomials f,gG ¥[x] such that 

fb + ga = gcd(a,6). 

This equality is commonly known as Bezout's identity. We refer to / and g as 
the Bezout coefficients. The extended Euclidean algorithm computes not only 
gcd(a, b) but also the Bezout coefficients. For all i ^ 0, the algorithm produces 
fi, gi and such that 

f^b + g,a = ri. (6) 

and for some n, r„ = god (a, b). We will refer to the equalities ^ as Bezout's 
intermediate identities and the coefficients fi and gi as the intermediate Bezout 
coefficients. The extended Euclidean algorithm is initialized with r_2 = 
r_i = b and /_i = 1, g-i = 0, /_2 = 0, g-2 = 1- For i ^ 0, let the Euclidean 

division of ri^2 by n-i be ri^2 = q,ri-i + n, and let /, = /i_2 - q, fi-i and 
gi = gi-2 — Qigi-i- The algorithm may then be expressed in matrix form as 



ri fi 9i \ ^ f-Qi l\ f I'l-i fi-i 9i-i 
n-i fi-i gi-i) VI oy lr.j_2 fi-2 gi-2 



(7) 



together with the initial condition 



r-i f-i g-i\ ^ fb 1 
r-2 f-2 g-2) U 1 



At each iteration we have the matrix equation 



Ji-i 3,-1/ \r-2) y i-i, 
We will make a series of alterations of the algorithm: first ensuring that 
certain polynomials are monic throughout the algorithm; second breaking the 
algorithm into steps for each individual coefficent of the quotient polynomials. 
Assume that a is monic. Consider the algorithm 

Initialize: 

-1 /-I g-i\ ^ fb 1 
-1 /-I g-ij U 1 
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while Ti ^ 0, 



^li = LC(ri) 
qi = Quotient(/ii fi, r'i) 

end while 
Return fi,fi,gi 

It is clear that gcd(ri, f^) = gcd(a, &) for all i. Furthermore, is monic by 
construction and qi is also monic. Clearly, deg(/i+i) = deg(/i), and one can 
see using induction that deg(/i) is strictly increasing and that the /; are also 
monic. 

Now consider the division of a monic polynomial ahyb ^ 0. Let yu = LC(6), 
let d = deg(a) — deg(&) and let q{x) = Quotient(/xa, 6) = go + qix + • • • + 



Qd-ix +x . We have the factorization 



tively define. 



Rj \0 1 J \Rj-i 

c'' + qd-ix'^^^ + ■■■ + qd-j+ix'^^^+^ ( b 



Note that for j > 0, Rj = is monic and that deg(i?j) $J deg(6) + d — j = 
deg(a)— j with^gfd_j = -Coefficient(i?j, deg(a)-j). Wemaythinkof deg(a) — 
j as a boimd on the degree of the partial remainders Rj that decreases as j 
increases. As j goes from to 1 we have deg(-Ri) ~ deg(i?o) and deg(i?i) ^ 
deg(i?o) - 1. 

We now alter the variant of the Euclidean algorithm given above by factor- 
ing all of the matrices | '^'^■^ '^M and including an iteration for each factor. 



We assume a is monic. We include two counters, dj is the degree of Rj, and dj 
is an upper bound for the degree of Rj . 



Initialize: 



do = deg(fe) 
do = deg(a) 
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while di 0, 



fii = Coefficient(i?i, di) 

p = di — di 

if p ^ or =0 then 

'Ri+i Gi^i\ (I —fj,ixP\ (Ri Fi Gi 



Ri+i Fi^i Gi^iJ \0 1 y \Ri Fi Gi 
di+i = di — 1 
di+i = di 



else 



di+i = di — 1 
di+i = di 

end if 

end while 
Return Ri , F„ Gi 



R^+^ Fj+i G,+i\ ^ fx-r- _^jA //?^, F, G, 
Ri+i Fi^i Gi+iJ J \Ri Fi Gi 



Proposition 1. In the algorithm above, for any i, 
1. 



Fi Gi 



2. Ri is monic of degree di; 

3. Ri has degree at most di; 

4. di + d^= deg{a) + deg{b) 

5. F,G, - F,G, = 1. 

6. Fi is monic and 

(a) 



— i; 



Furthermore, at termination, Ri 
da = with Fi monic. 



-deg{Fi)+d, >deg{F,)+d, 
Fib + Gitt is the monic gcd of a and b and Fib 



Proof. These results are proven by induction, with the base step an easy verifi- 
cation. We must check the induction step for each of the two update formulas — 
the first with p > or /i^ = and the second p <Q and ^i ^ 0. 



G, 
G, 



and 



Item (1) is immediate to prove using the fact that both 

are updated by multiplying by the same matrix. 

For item (2), note that the first update doesn't change R and d, so the result 
is immediate. With the second update Ri+i = Ri/ LC{Ri), so it is monic of 
degree = d^+i. 
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For item (3), and the first update, the coefficient of x'^* in both Ri and ^iiX^Ri 
is ^.i so deg(i?i+i) < di as desired. In the second update, the coefficient of a;**' 
in both x^PRi and fiiRi is /.j^ so deg(i?i+i) < di as desired. 

Item (4) is immediately verified. Item (5) follows from the inductive hy- 
pothesis by taking determinants in the update equation. For example, with the 
second update, 

/ ^^,+1 G,+i \ x~P -fM \fF, G,\ 

For item (6), consider the first update: Fj+i ~ Fi — fj.ix'^^^'^'Fi. By the 
induction hypothesis, deg(Fi) > deg(-Fi) + di — di, so deg(i^i+i) = deg{Fi) 
and FiJ^i is monic, since Fi is. Similarly, with the second update, deg(Fi_|-i) = 
deg(a;'''~'''Fi) > deg(Fi), so i^i+i is monic. As with item (5), using the obser- 
vation that the determinants of the update matrices are 1, we can prove that 
FiRi — FiRi ~ —a. Taking degrees gives the statement of item (6). 

It is easy to see that gcd{Ri,Ri) — gcd(a, b), for all i. At termination, we 
have Ri = so gcd(a, b) — Ri. This gives the final statement of the proposition. 

□ 



4 Euclidean algorithm for the new key equation 

Suppose u = c + e is the received word, with c belonging to the dual Reed- 
Solomon code C{k) and the error e having weight t. Let A, fl, S and S be the 
polynomials associated to e. We show that the extended Euclidean algorithm 
may be used to solve the alternative key equation 

Lemma 2. Let f e ¥[x] and a eW* be such that deg{f) < n and f{x) '^^~^ has no 
term of degree n — 1. Then f{a) = 0. 

Proof. Dividing / by a; — a, there exists y e F[a;] with deg(g) < ?7 — 1 such that 
fix) = f{a) + (x - a)g{x). Then /(.t)^ - fi^)^^ + 9ix){x" - !)• While 
g{x){x" — 1) has no terms with degrees between deg(.g) + 1 n — 1) and n — 1, 
f{a) ^^Sa coefficient of degree n — 1 equal to /(a). Therefore, if the term of 
f{x) ^^Za degree ?i — 1 is zero, then /(a) = 0. □ 

Lemma 3. Ifdeg{f) ^ n — t and fS has no terms of degrees n — t, . . . ,n — 1, then 
f is a multiple of A. 

Proof. Suppose fS has no terms of degrees n — t,...,n — l. Suppose e_, ^ and 
let 

9{x) = n ~ 
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Note that deg(.g) = t — 1 and so fgS has no term of degree n — 1. Now, 

/gS" = f{x)g{x) — 

^ 2;" — 1 

= y] ekj{x)g{x) 

= e,/(a;)5(x)^— i + efe/(a;)(x" - 1)^^^ 



Since both fgS and the right hand term in the previous sum have no compo- 
nent of degree n—1, neither does f{x)g{x)^—^. By the previous lemma, x — aj 
must divide /. Since j was chosen arbitrarily such that ej ^ 0, we conclude 
that A must divide /. □ 

The next lemma characterizes the decoding polynomials by means of the 
alternative key equation, the polynomial degrees, and their coprimality. 

Lemma 4. Suppose that t errors occurred with t < d/2. Then A and are the unique 
polynomials A, w satisfying the following properties. 

1. deg{\S - w(a;" - 1)) < n - d/2 

2. deg{X) s$ d/2 

3. X,bj are coprime. 

4. A is monic 

Proof. We have shown that A and fl satisfy item 1, and items 2, 3, 4 are easily 
verified. 

Suppose that A, lo satisfy items 1, 2. We will show that XS has no terms in 
degrees n — t, . . . ,n — 1. So, by Lemma |31 A is a multiple of A. Indeed, write 

XS = {XS - cj(a;" - 1)) + A(5' - S) + cj(a;" - 1). 

By 1, the first term has degree less than n — d/2 < n — t. By 2, deg(A(S' — S)) ^ 
d/2 + fc - 1 = n - fi/2 < 71 - i. By 1, deg(w) < deg(A) and by 2, deg(w) < d/2 
n — d/2 < n — t. So, — 1) has no terms in degrees n — t, . . . , 71 — 1. 
Suppose now that A = gh for some g G ¥[x\. Then 

XS~uj{x''-l) = -X{S-S) + XS-uj{x'' -1) 

= -X{S-S)+gAS-uj{x''-l) 

= -A(S'- S") - 1) - 1) 

= -X{S-S) + {gn-oj){x'' -1). 

By 1 deg(A5 - cj(a:" - 1)) <n- d/2 and by 2, deg(A(S' - S)) n - d/2. As a 
consequence, uj = gfl. Now items 3, 4 imply g = 1 and so A = A and lu = fl. □ 
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Consider the algorithm in Section |3] with a = — 1 and b = S, truncated 
when di < n — d/2, and returning Fi, Gi instead of Fi, Gi. 

Initialize: 

do = deg(5) 

do = n 

f Ro Fo Go \ S 1 ^ 

\ Ro Fo Go J \ 1 J 

while di ^ 71 — d/2: 

fii = Coefficient(/?i, di) 

p = di - di 

if p ^ or =0 then 

/ Ri+l + 1 Gi-^-l \ 

V Fi^i Gi+i J 
di+i = di — 1 
di+i = di 

else 

/ ^i+i Fi^i Gi+i \ 

V ^i+i Fi^i Gi+i J 
di+i = di — 1 
di+i = di 

end if 

end while 
Return Fi, d 

Theorem 5. Ift<d/2 then the algorithm outputs A and Q. 

Proof. All the conditions in Lemma HI except item 2, are easily checked using 
Proposition [T] 

For proving item 2 in that proposition notice that, by Proposition[lJ deg(i^i ) = 
n — di. By looking at the behavior of rf; and di we see that at the end of the algo- 
rithm, either di ^ do ~ n or di = dj for some j < i, and thus, with dj ^ n — d/2. 
\n both cases we get deg(Fi) ^ d/2. 

□ 

5 From the Euclidean to the Berlekamp-Massey al- 
gorithm 

In this section we will see that the previous algorithm and the Berlekamp- 
Massey algorithm are essentially the same. 



1 -fJLiXP 
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Fi Gi 
Fi Gi 



Fi Gi 
Fi Gi 
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Notice that the only reason to keep the polynomials Ri (and Ri) is that we 
need to compute their leading coefficients (the /i/s). We now show that these 
leading coefficients may be obtained without reference to the polynomials Ri . 
This allows us to compute the Fi , Gi iteratively and dispense with the polyno- 
mials Ri. 

On one hand, the remainder Ri ^ FiS ~ Gi{x"' — 1) = F^S* — a;"Gi + Gi has 
degree at most n — 1 for alH ^ 0. This means that all terms of x'^Gi cancel with 
terms of FiS and that the leading term of Ri must be either a term of or a 
term of G; or a sum of a term of FiS and a term of Gi. 

On the other hand, the algorithm only computes LC(i?i) while deg(i?i) ^ 
n — d/2. We want to see that in this case the leading term of Ri has de- 
gree strictly larger than that of Gi. Indeed, one can check that for i ^ 0, 
deg(Gi) < deg(Fi) and that all F/s in the algorithm have degree at most d/2. 
So deg(G,) < deg(FO ^d/2^n- d/2 < deg(i?«). 
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